The TL;DR Guide to Data Protection in Law Firms

By Jared D. Correia

In the last decade, as the cloud has become preeminent, the pace of regulation has increased along with technology advancement. Lawyers now are subject to federal and state regulations, as well as local ethics rules, respecting their use of technology, including obligations related to the data they store and maintain for clients. The ABA Standing Committee on Ethics and Professional Responsibility’s Formal Opinion 477R (tinyurl.com/y79grt7w) covers in detail a significant number of these rules and regulations and ends up by restating as recommendations that lawyers should follow the dictates of the more comprehensive state law regimes. But even this document doesn’t detail specific requirements attaching to the attorney in, say, Mobile, Alabama. For that Mobile-based attorney, reading through all the statutes, regulations, ethics rules, and comments that govern his relationship to his clients’ data is still a massive chore, and given the technical complexity of the systems involved, he may exit the process without much additional understanding of what, practically, he is obligated to do regarding his actual technology systems.

Enter the TL;DR guide.

The term “TL;DR,” for those less woke, is Internet vernacular for “too long; didn’t read.” And while we would never recommend that lawyers entirely skip the stage of familiarizing themselves with the particular ethics rules of their jurisdiction, they may find that an overview of some general principles will help them to understand where a particular rule fits into the overall framework of their ethical responsibilities respecting technology.

So, the challenge, in this instance, is to produce a guide that is not too long a read, and that focuses on practical tactics for data management compliance. This is sort of like the Goldilocks problem; let’s hope we can find the right chair.

Let me start out by saving you some reading: Most of the rules and laws on the subject of data protection require/advocate for a reasonableness approach. In many cases, making your best effort is half the battle. But what you’ll find is that technical compliance is not so technical as you might have supposed.

As to technical compliance, there are five items that should appear on your checklist for attaining (and maintaining) data security in your law firm.

1. Access Control

One of the most important things about data management in a law firm is making sure that only the people who should have access to client data (or the data of a particular client) have it. This issue rears its head in several places. Primarily, you want only employees or contractors to have access to law firm systems in which client data is stored. That’s the easy one. There may be cases, however, where this discussion becomes more granular. What happens when an attorney has to be screened from only a single client, or from one case? How do you wall off support staff or associates from financial records while providing access to case information and time and billing data, when necessary? How do you provide clients and colleagues access to specific files without having to provide them access to your internal software systems? Fortunately, there are technical solutions to all these problems, and problems like them, that do not require coding or a computer science degree.

In the first instance, it is essential to have strong passwords in place on your devices and for your software applications. It is tempting for solo lawyers especially to avoid the use of passwords in order to save some time logging in; but just because you work by yourself does not guarantee that bad actors are not lurking to get at your data, if the opportunity arises. If you don’t add a password for accessing your smartphone, for example, and you then leave it behind in an Uber, you’ve totally exposed your business—and all because you didn’t want to take the time to key in a four- or six-number combination. Adding the password is the first step, of course; but that doesn’t mean that you can take the easy way out with a password that is too simple and easy to guess. Six zeroes for your smartphone password is not going to get it done. “Password” (or even the slightly trickier “password123”) won’t do it, either. Does it comport with a reasonable effort, choosing the simplest possible password to protect your law firm data? Probably not.

Adding a reasonable level of effort to your password security, however, does not require anything particularly strenuous. Build into your passwords some number (a “3” replaces an “E”), or use passphrases instead—these are long strings of words that have meaning in combination for you, but not for others. And, if you have trouble remembering all that, there are further technological aids to assist: Password managers load online passwords automatically when you log in with a master password. Certainly, in some cases, there is relatively little leeway in terms of what you can do with a password (if it’s a four-number code, it’s a four-number code); but, until biometric identification, including advances such as facial or fingerprint recognition, become the norm, you’re stuck applying a reasonable level of effort in securing your data via strong (or at least “stronger”) passwords.

As a business owner, your obligations will often extend to managing the way that others manage their passwords. So, you’ll want to create and provide oversight regarding specific password creation and maintenance rules that ultimately become codified in a policies and procedures manual. This can be done with the assistance of an IT vendor, who may also be able to help you to draft and institute a policy. But, even if you do this on your own, the idea is to make sure that, in addition to allowing the right persons access, the wrong persons are denied access; the shadow portion of this equation involves removing access for employees, contractors, or vendors who leave your employ or are terminated. Never changing your shared passwords, for example, means that there is a vapor trail of former staff who could continue to access your data, for whatever purpose they wish, for as long as they want.

Eating a whole pie can be gratifying—until you throw up everywhere. Making the effort to create slices separates the men from the boys, the women from the girls, when it comes to data security. In terms of excluding access to individual cases or case types, modern technology, especially case management systems, makes it easier than ever before to assign staff to particular cases but not to others. Using default settings, you can wall off staff from specific matters, as well as accounting-related tabs. If your accounting system is separate from your case management system, it’s even easier to do that. If you’re not using a modern case management system, and have instead opted to use, say, productivity software, including e-mail, to manage your cases and clients, then this process will be far clunkier, and you’ll be left to make a choice between convenience and due care. It would have been staggering to a law firm, even a decade ago, to have access to a commonplace system through which access could be ramped up or down, on the individual level, while providing holistic access to subscribers via the cloud. And this may be the most striking intersection of law and technology there is to date: While these rules exist and proliferate, there are nonetheless clear solution points for lawyers across the industry.

Thus far, we’ve discussed internal access. When the subject turns to external access, it’s often an intimation of crisis: a desire to keep the baddies—nameless, faceless hackers—out. More often than not, though, law firms are looking to offer secure access to data to their clients and colleagues. Prior to the advent of cloud services, this was much harder to accomplish. But now, those just-mentioned case management systems more often than not come linked with a “client portal” through which you can easily pass information to clients and attorney colleagues via an encrypted holding space, managed and maintained by the same provider you trust to manage your internal client data. Using a case management portal is also efficient because it does not require a subscription to, or use of, an additional system. This, of course, does not mean that you can’t utilize a stand-alone document repository for this process. Microsoft and Google are just two of many providers that offer cloud drives through which you can share encrypted data with specified persons. Using a system that offers document management features such as version control makes collaboration easier in these environments. An additional advantage of portals is that you can avoid sending information via e-mail, which is inherently unsecure, given that the path from one e-mail in-box to another is often circuitous and potentially never the same twice.

2. Encryption

Lawyers have a general understanding of what encryption is: A password is applied to a file, and that password is needed to view said file’s contents. The scrambling of the data, the “encrypting” part of it, is not something you need to worry about, though. At this point in time, encrypting single files is a straightforward process (select the option, choose a password, save the file); and for processing multiple files, there are numerous easy-to-use tools at the ready. This is to the good because every major regulation or rule respecting data security makes encryption a sine qua non. In terms of how law firms should manage it, there are two places to look: systems and processes; with respect to processes, the question may become one of volume.

When considering how to encrypt your systems, keep in mind that many software platforms will encrypt data by default. Cloud-based software tools, such as the case management systems and document archives addressed above, encrypt system data as a matter of course. If you’re accessing data via the web, check the beginning of the URL; if it says “https,” your information is encrypted. The “s” stands for secure. Of course, you’ll not want this to be a surprise: You should know that a system is encrypted before you buy into it, even if most consequential providers do encrypt your data. If this level of security is not enough for you, there is the option to pre-encrypt your data; in other words, you’re placing encryption on your files before you upload them to somewhere else, securing those files from the (potential) prying eyes of vendors, who would otherwise apply (and know, and could break) the encryption themselves. So-called zero-knowledge databases offer this solution as a product feature: You encrypt, they host. However, if you’re using a system like this, be sure to retain your encryption code or password because you are the backup in this scenario.

Even if the clear trend is for the conversion of law firms to virtual environments, in some instances you’re likely to maintain at least certain files on physical devices, such as laptops, tablets, or smartphones. If you use your device as a file repository, you could encrypt each file, but this can be a time-consuming process, and it’s probably easier to encrypt the whole shooting match. For laptops, you can use Mac’s FileVault or Microsoft’s BitLocker to encrypt your hard drive. For tablets and smartphones, ask your provider for options. In sum, this is the equivalent of creating a large, bank-sized vault for your files, rather than setting up and locking individual file cabinets.

Now, if you do use encrypted repositories such as client portals or file repositories, you can pass data through these systems and never need to affirmatively encrypt anything. But if these systems are not available to you, that likely means that you’re e-mailing—and those attachment files need to be secured. Then the question of encryption begins to center on volume. If you irregularly encrypt files, you may be able to accomplish it on an as-needed basis; but if you’re regularly sending files or file “packages” via e-mail, you may wish to consider a built-in e-mail encryption tool through which you can manually set encryption for an e-mail and its contents (including attachments), or automate the process by establishing specific triggers (e.g., encrypt when a Social Security Number is found). It is important that you establish a process for encrypting state-specified or rule-specified information sets, whether you do it the long way or the short way.

3. Vetting

Technology safeguards begin and end with the tools used to apply them, such that effectively vetting service providers is an absolute necessity. Of course, this is not a new requirement for law firms, just an extension of prior advice and presumptions: Any vendor you use to help you manage your law firm data is a reflection on your business, such that you should take due care in selecting any vendors. Those vendors who would ostensibly manage and secure your data deserve particular scrutiny. In many jurisdictions, and also at the national level, formal and informal opinions offer suggestions on questions you should ask before engaging a vendor.

In order to save you some suspense, let me just tell you some of the more important considerations: Understand when and how the vendor may release your data to third parties. Ask for the vendor’s security audits. Find out whether a state rule requires that a specific clause be added to your vendor contract, and get it added if it needs to be there. Inquire whether the vendor provides data redundancy (backup), including geographical redundancy—are there servers in California and Virginia, in case one coast falls into the ocean? Remember to keep notes on your vetting procedures, and archive those; even if your state doesn’t require you to do so, it can be your best defense against legal and ethics authorities. Never settle on one vendor before surveying the market. Always choose from at least three options.

4. Planning

Even if your state does not require it, develop a data management plan and choose someone at your office to quarterback it.

5. Sharing

Your fee agreements should include a clause that details the type of technology you use and allows your client to opt out of specific tools. This affords an opportunity for you to talk to your clients about the importance of data security in your practice.

After all, this is your client’s data, and your solemn obligation is to be an effective steward of it.

Make these five points the core components of your data security plan, and you will have upheld this obligation.